Deprecate in-process cache

For a long time now if you don't configure memcache then auth_token middleware would cache the tokens in process memory. This is not the job of auth_token middleware. If you need to cache you should configure memcache otherwise auth_token will authenticate with keystone for every token request. As such, this feature is deprecated and may be removed in the 5.0.0 release or the "O" development cycle (whichever is later). Change-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a
2016-01-22 10:32:42 -06:00 · 2016-01-22 10:32:42 -06:00 · f1aa4866c1
commit f1aa4866c1
parent 70a9754ae6
2 changed files with 31 additions and 3 deletions
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@ -19,7 +19,7 @@ import six
 from keystonemiddleware.auth_token import _exceptions as exc
 from keystonemiddleware.auth_token import _memcache_crypt as memcache_crypt
 from keystonemiddleware.auth_token import _memcache_pool as memcache_pool
-from keystonemiddleware.i18n import _, _LE
+from keystonemiddleware.i18n import _, _LE, _LW
 from keystonemiddleware.openstack.common import memorycache


@ -54,8 +54,18 @@ class _EnvCachePool(object):
 class _CachePool(list):
    """A lazy pool of cache references."""

-    def __init__(self, memcached_servers):
+    def __init__(self, memcached_servers, log):
        self._memcached_servers = memcached_servers
+        if not self._memcached_servers:
+            log.warning(_LW(
+                "Using the in-process token cache is deprecated as of the "
+                "4.2.0 release and may be removed in the 5.0.0 release or "
+                "the 'O' development cycle. The in-process cache causes "
+                "inconsistent results and high memory usage. When the feature "
+                "is removed the auth_token middleware will not cache tokens "
+                "by default which may result in performance issues. It is "
+                "recommended to use  memcache for the auth_token token cache "
+                "by setting the memcached_servers option."))

    @contextlib.contextmanager
    def reserve(self):
@ -125,7 +135,7 @@ class TokenCache(object):
                                       **self._memcache_pool_options)

        else:
-            return _CachePool(self._memcached_servers)
+            return _CachePool(self._memcached_servers, self._LOG)

    def initialize(self, env):
        if self._initialized:
--- a/releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml
+++ b/releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml
@ -0,0 +1,18 @@
+---
+deprecations:
+  - >
+    With the release of 4.2.0 of keystonemiddleware we no longer recommend
+    using the in-process token cache. In-process caching may result in
+    inconsistent validation, poor UX and race conditions.
+
+    It is recommended that the `memcached_servers` option is set in the
+    `keystone_authtoken` configuration section of the various services (e.g.
+    nova, glance, ...) with the endpoint of running memcached server(s).
+
+    When the feature is removed, not setting the `memcached_servers`
+    option will cause keystone to validate tokens more frequently, increasing
+    load. In production, use of caching is highly recommended.
+
+    This feature is deprecated as of 4.2.0 and is targeted for removal in
+    keystonemiddleware 5.0.0 or in the `O` development cycle, whichever is
+    later.